Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

batman-adv: Fix memory leak on tt add with invalid vlan

The object tt_local is allocated with kmalloc and not initialized when the
function batadv_tt_local_add checks for the vlan. But this function can
only clean up the object when the (not yet initialized) reference counter of
the object is 1. This is unlikely and thus the object would leak when the
vlan could not be found.

Instead the uninitialized object tt_local has to be freed manually and the
pointer has to be set to NULL to avoid calling the function which would try to
decrement the reference counter of the non-existent object.

CID: 1316518
Fixes: 354136bcc3c4 ("batman-adv: fix kernel crash due to missing NULL checks")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Sven Eckelmann and committed by David S. Miller
fd7dec25 ff94c742

+4 -1
net/batman-adv/translation-table.c
··· 595 595 /* increase the refcounter of the related vlan */ 596 596 vlan = batadv_softif_vlan_get(bat_priv, vid); 597 597 if (WARN(!vlan, "adding TT local entry %pM to non-existent VLAN %d", 598 - addr, BATADV_PRINT_VID(vid))) 598 + addr, BATADV_PRINT_VID(vid))) { 599 + kfree(tt_local); 600 + tt_local = NULL; 599 601 goto out; 602 + } 600 603 601 604 batadv_dbg(BATADV_DBG_TT, bat_priv, 602 605 "Creating new local tt entry: %pM (vid: %d, ttvn: %d)\n",
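
Review bot: The new branch under the WARN(!vlan, ...) check frees tt_local with a bare kfree() and then clears the pointer, but nothing in the code records why the normal release path at out cannot be used here. A one-line comment above kfree(tt_local) saying that the object's reference counter is not yet initialized at this point would stop a later cleanup from swapping the manual free back to the refcounted one. The fix also depends on the out path tolerating tt_local == NULL, which is not visible in this hunk and should be confirmed against the code at that label. An alternative that avoids the manual free altogether is to perform the batadv_softif_vlan_get() lookup before tt_local is allocated, so the failure path has nothing to release.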